Folks,
I've patched and recompiled my system without a problem. My concern is how I can verify whether the binary components have indeed been patched. Am I able to determine the patch level of the kernel (and other components) from the binaries? Say I assume responsibility for a system, how can I determine if it's been patched?

Kernel: use sysctl kern.version. It provides the first two lines of your dmesg.

Userland: you can use file(1), ls(1) in combination with which(1), etc.

If you use the -stable branch, you can be sure to pick up all patches at the time of your build. And if you have multiple platforms of the same architecture, you can make your own binary release of -stable for quick updates of those machines.

See FAQ 5.1 on the -stable branch, and the release(8) man page. Other parts of FAQ 5 can be helpful for building -stable and creating a release.

Verifying userland has been updated is complicated; this is where having an established written record of updates is a good idea.

On Unix systems, when a file is modified the mtime value of its inode is updated. Using this information you can attempt to determine when it was replaced, and compare it with the time the kernel was replaced.

When adopting a previously maintained system, regardless of OS, it's always complicated to reverse engineer the extent of the modifications made to it by the previous maintainer(s).

It is safe to rebuild both the kernel and userland again; obtain the vanilla source from an official mirror, and update it via CVS or using errata patches.
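
The mtime comparison suggested in the thread can be scripted. The following is an added example, not code from any of the posters: the reference file (for instance the kernel image) and the directories to scan are passed as arguments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find userland files whose mtime is not newer than a
# reference file (e.g. the kernel image), as a hint that they predate
# the last rebuild. All paths are supplied by the caller.

# stale_files REF DIR...
# Prints every regular file under DIR... with mtime <= REF's mtime.
# Returns 2 if REF does not exist.
stale_files() {
    ref=$1
    shift
    if [ ! -e "$ref" ]; then
        echo "stale_files: reference file not found: $ref" >&2
        return 2
    fi
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "stale_files: skipping $dir (not a directory)" >&2
            continue
        fi
        # "! -newer REF" matches files modified at or before REF.
        find "$dir" -type f ! -newer "$ref" -print
    done
}

# stale_count REF DIR...
# Number of files stale_files would list.
stale_count() {
    stale_files "$@" | wc -l | tr -d ' '
}

# patch_report REF DIR...
# One summary line per directory: stale files out of total files.
patch_report() {
    ref=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        total=$(find "$dir" -type f -print | wc -l | tr -d ' ')
        stale=$(stale_count "$ref" "$dir")
        echo "$dir: $stale of $total files not newer than $ref"
    done
}
```

Anyone with write access can reset an mtime with touch(1), so treat the output as a hint to check against the written update record, not as proof of patch level.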